A flaw was found in Jenkins. The fix for SECURITY-499 introduced a mechanism that renamed user directories on disk as a user with an unsafe user name (user ID) is loaded. Insufficient input validation allowed attackers to rename such user directories even for users with a safe user name by submitting a crafted user name when attempting to log in, even with an invalid password. Doing so prevented users from logging in successfully afterwards.
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1656907]